The present invention relates to a method for protecting stored-program control systems from being overwritten.
Methods for protecting stored-program control systems, which are preferably used in motor vehicles, are already known. In German Patent No. 43 44 866 a control device, in particular a motor vehicle control device, is programmed via an external programming device. In order to prevent unintentional programming, an inquiry must be made by the control device to the external programming device. The inquiry is accomplished via a means which can detect a signal to authorize programming if the external programming device is connected with its serial transmission line to the control device. After this security inquiry, programming of the control device is accomplished into a programmable nonvolatile memory of the control device, via the serial interface. This conventional method represents a purely hardware-based programming protection system. The purely hardware based protection system for the programmable memory requires the use of various electronic components in the control device, which are capable of detecting connection of the data transmission line on a hardware basis. This implies additional physical complexity for the control device.
Also, simple software security systems, which generally invoked by the programming device or tester, are conventional. With purely software-based security systems, there is always the risk that a skip in the program routine will cause authorization for programming to be granted incorrectly.
The method according to the present invention has the advantage that unintentional programming of the program memory cannot occur, since the programming routine contains additional security inquiries which check for authorization before execution of each programming segment. It is particularly advantageous if the programming routines that are stored in the control device are structured in the form of modules. As a result, unintentional deletion and writing of new data into the programmable memory is no longer possible, since the program cannot be activated even by an unintentional jump to an arbitrary position.
It is also advantageous to assemble the program routine from instruction sequences. When the instruction sequence is executed, authorization is also checked after each instruction.
It is advantageous in this context to store authorization flags in a RAM (random access memory). Advantageously, the authorization is performed not simply by storing once, but by repeatedly storing the authorization flag in the RAM in redundant fashion, and further programming can be accomplished only after checking multiple authorization flags.
A further advantageous embodiment is represented by storage of the authorization in the form of specific RAM address contents, whereby the program routine checks the contents of the addresses. It is also possible to generate the authorization as a combination of registers and data transferred from the programming device.
It is further advantageous, for authorization of the programming routine, for signals to be sent by the external programming device, which causes flags to be set in the programming routine.
This authorization can be implemented by the external programming device as a one-time transfer of the authorization signals, so that the authorizations are accessed in memory during programming.
Also advantageous, however, is a variant which queries the authorization from the programming device between the